RedBoot Ransomware

RedBoot Ransomware, also known as Bootlocker, is a dangerous threat because it can both ruin a user’s personal data and make the computer unbootable. The malware encrypts valuable data on the computer and then modifies the Master Boot Record (MBR). Consequently, the infected device boots to a red screen showing a ransom note instead of loading the operating system. At the time of writing, there does not appear to be a way to restore the locked files, but it is possible to restore the MBR, although doing so carries some risk. The instructions at the end of this text show how to complete this task and how to eliminate RedBoot Ransomware. Those who would like to learn more about how the malicious application works are advised to read the rest of the text.

The malicious application is still a rather new threat, so computer security specialists are not yet sure exactly how RedBoot Ransomware enters the system. The most likely scenario is distribution through spam emails, in which case the user would only need to download and launch the malicious attachment for the computer to become infected right away. Opening files received from unknown sources is never a good idea, and if you wish to protect your device from malware and your sensitive data from ruin, you should be extra cautious. For instance, before opening any suspicious attachment, the user could scan it with a reliable antimalware tool to confirm it is safe to launch. Such a tool can be acquired at any time, so there is no need to worry if you have not picked a security tool yet.

After the device is attacked, the malware completes eight tasks before the red screen with the ransom note is presented. First, the threat places five specific files (assembler.exe, boot.asm, boot.bin, overwrite.exe, main.exe, protect.exe) in a randomly named folder inside the directory from which the RedBoot Ransomware launcher was opened. Then, using assembler.exe, the malicious application compiles the boot.asm file. During the third and fourth steps it creates boot.bin, and boot.asm and assembler.exe are both deleted. The fifth step is to overwrite the original MBR with the malicious boot.bin; this is done using overwrite.exe. The threat then launches main.exe and encrypts the user’s personal data with a strong cryptosystem. According to our specialists, each locked file receives a second extension, .locked, for example picture.jpg.locked.

The next task the malware completes is launching the so-called protect.exe file, which is used to kill the user’s Task Manager and Process Hacker so that the user cannot interfere with the encryption process. Afterward, the malicious application restarts the computer, and the device then boots to the red screen with the ransom note. This message may ask you to contact the infection’s creators, and if you do, they might try to convince you to purchase a decryption key or promise to restore your files if you pay a ransom. Needless to say, dealing with these people would be extremely risky, as the user would most likely lose the money paid and get nothing in return. Our researchers could not obtain any screenshots of RedBoot Ransomware’s ransom screen, but they confirm that the red screen contains no field where a decryption key could be entered. Therefore, we advise against taking any chances and recommend removing the malware at once.
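The behaviour described above leaves two file-system traces that a responder can look for: the dropper tool set sitting together in one folder, and user files carrying a second .locked extension. The following is an added triage script, not code from the original write-up; it walks a directory tree for both indicators and runs against a constructed sample layout (folder name x7k2q9 and the document names are made-up stand-ins).

```python
import os
import tempfile
from pathlib import Path

# Tool names the write-up attributes to the RedBoot dropper.
REDBOOT_DROP_SET = {"assembler.exe", "boot.asm", "boot.bin",
                    "overwrite.exe", "main.exe", "protect.exe"}
LOCKED_SUFFIX = ".locked"

def scan_tree(root):
    """Walk root and return RedBoot indicators: folders holding the dropper
    tool set and files carrying a second '.locked' extension."""
    findings = {"dropper_dirs": [], "locked_files": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        names = {n.lower() for n in filenames}
        overlap = names & REDBOOT_DROP_SET
        # Two or more of the tool names together is a strong signal; a lone
        # main.exe is far too common to report on its own.
        if len(overlap) >= 2:
            findings["dropper_dirs"].append((dirpath, sorted(overlap)))
        for n in filenames:
            p = Path(n)
            # '.locked' appended to an existing extension, e.g. picture.jpg.locked
            if p.suffix.lower() == LOCKED_SUFFIX and Path(p.stem).suffix:
                findings["locked_files"].append(os.path.join(dirpath, n))
    return findings

def build_sample_tree():
    """Construct a throwaway directory mimicking the layout described in the
    write-up (constructed sample data, not a real infection)."""
    root = tempfile.mkdtemp(prefix="redboot_sample_")
    drop = Path(root, "x7k2q9")   # stands in for the randomly named folder
    drop.mkdir()
    for n in ("overwrite.exe", "main.exe", "protect.exe", "boot.bin"):
        (drop / n).write_bytes(b"\x00")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "picture.jpg.locked").write_bytes(b"\x00")
    (docs / "notes.txt").write_bytes(b"\x00")
    (Path(root) / "main.exe").write_bytes(b"\x00")   # lone main.exe: not flagged
    return root

if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for d, names in result["dropper_dirs"]:
        print("dropper tool set in", d, names)
    for f in result["locked_files"]:
        print("locked file:", f)
```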

To erase RedBoot Ransomware, you first need to restore the modified MBR so that the computer can boot into Windows again. The first part of the deletion instructions below explains how to achieve this, and the second part shows how to get rid of the malware. Users can also employ an antimalware tool after restoring the MBR. That is, instead of removing the malicious application manually, you could install a reliable antimalware tool, click the scan button and wait until it detects the infection and any other possible threats. Then simply click the deletion button and the software should deal with all threats listed in the report.

Restore Master Boot Record

Windows XP

Insert Windows XP CD.

Press any key as instructed to boot from the CD.

Press the R key after seeing a screen saying “Welcome to Setup.”

Type 1 and press Enter when asked: “Which Windows installation would you like to log onto?”

Enter your password when required and press Enter.

Type fixmbr and press Enter; you will be asked: “Are you sure you want to write a new MBR?”

Press the Y key and then press Enter.

Press Enter again and wait until the MBR is fixed.

Take the CD out.

Type exit and press Enter to reboot the device.

Windows Vista

Boot from Windows Vista CD/DVD.

Pick the language and keyboard layout preferences.

Select the Repair your computer option, pick the operating system and click Next.

Choose Command Prompt, type the following commands into it and press Enter after each command:
bootrec /FixMbr
bootrec /FixBoot
bootrec /RebuildBcd

Provided the MBR was fixed, you will see a confirmation.

Take out the CD/DVD.

Type exit and press Enter to reboot the computer.

Windows 7

Insert the Windows 7 DVD.

Press any key as required to boot from the DVD.

Choose language and keyboard layout preferences, then click Next.

Pick the operating system, mark the Use recovery tools that can help fix problems starting Windows option and press Next.